NSA Can Hack and Spy on Any iPhone Any Time


Everything you do on your iPhone may be open to NSA snooping thanks to covert software the agency can install without the user's knowledge. Apparently the app, called Dropout Jeep, can remotely send all of your text messages, contacts and voicemails to the NSA, and can activate your iPhone's camera or mic for real-time surveillance, too.

Security researcher says NSA can spy on your iPhone

In a presentation at the 30th Chaos Communication Congress in Germany, security researcher Jacob Appelbaum detailed the NSA's iPhone spying capabilities. Along with being able to use Dropout Jeep to collect your conversations and contacts, the agency can use cell towers to find your location, and can remotely push new files to users' iPhones.

The NSA documents Mr. Appelbaum referenced say the agency has a perfect track record for installing Dropout Jeep on targeted iPhones, meaning it has been able to successfully install the software on every iPhone it wants. Based on the agency's success rate and the amount of data it is able to collect, Mr. Appelbaum questions Apple's involvement.

He said in a presentation at the conference,

I don't really believe that Apple didn't help them. I can't really prove it, but they [the NSA] literally claim that anytime they target an iOS device, that it will succeed for implantation. Either they have a huge collection of exploits that work against Apple products, meaning that they are hoarding information about critical systems that American companies produce and sabotaging them, or Apple sabotaged it themselves. Not sure which one it is. I'd like to believe that since Apple didn't join the PRISM program until after Steve Jobs died, that maybe it's just that they write shitty software.

PRISM is an NSA program to gain back door access to company servers so it can gather personal information and user activity without first gaining a court order. Apple has claimed it doesn't participate in PRISM, and went so far as to say it hadn't even heard of the program until it first appeared in the news in June 2013.

In a public statement Apple said, "We do not provide any government agency with direct access to our servers, and any government agency requesting customer content must get a court order."

Apple has since asked the NSA for better transparency on surveillance, and has said that text messages sent through iMessages are encrypted and that it can't convert them back to readable text.

Apple has also said that it doesn't collect data about user activities. If true, that would make a secret back door into the company's servers less valuable, and would make something like Dropout Jeep far more useful since it allows the NSA to gather whatever information it wants without directly involving Apple or its servers.

It's a safe assumption that if the NSA has developed clandestine surveillance malware for the iPhone, it has done the same for other smartphone platforms, too. Android OS, Windows Mobile, and BlackBerry have all likely been targeted with similar malware.

A 2008 document that details Dropout Jeep said that it needed to be installed via "close access methods," but that the agency was working on a way to remotely install the malware. Considering that was five years ago, it's possible the NSA has moved on to remote installation, which could give the agency the ability to install its monitoring tools on any iPhone anywhere in the world at any time.

 

Balancing the right to privacy with national security is always a tricky act. While the NSA will deny the existence of many surveillance programs regardless of whether or not they actually exist, the number of leaked documents shows the agency is involved in collecting massive amounts of personal information without court order or consent, and that means the scales have tipped away from privacy in a big way.

[Thanks to The Daily Dot for the heads up.]

Comments

gnasher729

It’s very easy to make accusations, Mr. Appelbaum. Especially when evidence would be hard to find, so you can hide behind that.

Davey Ho

The above comment is either a feeble attempt by an NSA agent, or a display of ignorance by a low information voter. There is absolutely NO doubt about the NSA capabilities, denying the truth is absolute ignorance.

John Dingler, artist

The NSA, but also the many other American based and global spy agencies such as Stratfor, Army Intelligence, NRO, CIA, ChoicePoint, are desperate to recruit as many tech-savvy adults and children, even those who are inherently predisposed to be prurient Peeping Toms, to peek into bathrooms via your portable devices as well as through your iMac’s camera before which you may be half dressed. Just think of the jollies new recruits would get even as they were getting paid by our tax dollars. Spending on these big questionable spy programs is modifying our definition of what is “big gub’mnt” and about gov. programs financed by what Bagger McConnell loves to call “wasteful spending.”

The internet was supposed to be free. My and your expectation of privacy is being violated by serial and obsessive, Tourette Syndrome-like, intrusions on privacy on persons via cameras, on communication via Facebook and email, on thoughts via keystrokes, and on behavior via cell towers.

jhorvatic

They need physical access to your phone before they can do anything.
I don’t know about you but my phone is in my pocket or in my house. So either they break into my house or physically attack me to get to my phone.
Neither one has happened so I’m not worried.
Now that Apple knows about this program it will close the door on it anyways. But the real fact remains they need to physically handle your phone before they can do anything.

John Dingler, artist

By the way, I am honoring exceptional whistleblowers and/or promoters of free access to taxpayer-owned information, in a series of ten artworks which I call Ten Prosecuted Whistleblowers. They are Edward Snowden, Chelsea Manning, Julian Assange, Daniel Ellsberg, Thomas Drake, John Kiriakou, Jeffrey Sterling, Jeremy Hammond, Aaron Swartz, and Philip Agee.

The web page containing them, 90% complete, can be viewed here:
< http://www.johndinglerart.com/ >

These individuals are important as they serve as counterbalance to NSA facilitators such as California Senator Dianne Feinstein who never saw a spy or military program that could not financially benefit her husband’s investments thus votes for them.

She is now in the process of studying with NSA how to codify, firm up, NSA’s surveillance, making most of its method legal what is currently either illegal or questionable.

It’s almost enough to throw away my iPhone and speak to people person-to-person and all that entails, you know, like Mafia dons.

Lee Dronick

  In a public statement Apple said, “We do not provide any government agency with direct access to our servers, and any government agency requesting customer content must get a court order.”

What about indirect access?

John Dingler, artist

Hi jhorvatic,
Indeed, yes, one of the ways is to gain physical access to a device, and now we know that the NSA has the motive, means, and the opportunity to gain that very access. It merely pays people/companies off to divert the iPhone, iMac, iPad and likely the Mavericks Pro to an NSA facility to plant either code or a Peeping Tom device inside it, repackage it so that the intrusion is undetectable—which may mean it has developed access to pristine packaging from one of Apple’s packaging subcontractors in Asia—and reship it to the customer.

Another way to gain physical access to the device is to slyly gain entry into the home which, as reports show, it has done if it considers the target to be significant.

geoduck

They need physical access to your phone before they can do anything.

I wouldn’t count on that. I’ve seen enough exploits over the years from hitting a bad web site or malware embedded in legitimate software packages to make that an iffy assumption. Also I’ve hacked into enough systems remotely (at work, it was legit) to worry about it. If someone like me can do it, then pros can do a quantum level more.

They are Edward Snowden, Chelsea Manning, Julian Assange, Daniel Ellsberg, Thomas Drake, John Kiriakou, Jeffrey Sterling, Jeremy Hammond, Aaron Swartz, and Philip Agee.

They are the real heroes of our time. Very nice work.

geoduck

John Dingler
Do you have a permanent link to the Ten Prosecuted Whistleblowers page that I can post?

John Dingler, artist

Hi Lee,
*LOL* Yeah, lawyer language can make a seemingly culpable company seem innocent and, even when they tell the truth, they may not truly mean it or, more likely, make the agreement have all kinds of provisional restrictions and outright loopholes. Apple’s private lawyers seem to be doing better now against Samsung, so they must be experts in this.

John Dingler, artist

Hi Geoduck,
Yeah, that’s my home page which always contains my current work, so I designate the Current Work page as the first page people visit at that URL, allowing me to avoid the intro, splash screen.
< http://www.johndinglerart.com/ >
But maybe I don’t understand. I am always glad when people appreciate my work.

geoduck

I was just thinking that in a few months it won’t be ‘current’ work. Assuming it’s OK with you, post the home page on Tumblr, and then update the link as needed down the road.

John Dingler, artist

Hi Geoduck,
Yes, indeed. I would be thrilled if you posted these victims of the NSA/CIA on Tumblr or any other site you wish. So, I will duplicate that page and add it to the Completed > 2D menu and post the link for you shortly.

adamC

Hi Geoduck,

I don’t doubt. You are one of the best in hacking but I believe otherwise when it comes to an iPhone.

Since we are at it, publish some of your exploits for us to see and then we will believe it is easy to hack an iPhone remotely.

Why not reverse engineer iOS 7 and show us where the exploit is.

If this Appelbaum is that good a hacker he should be able to prove it without having to hide behind his ‘I can’t prove it’ and his crack that Apple writes shitty code.

geoduck

adamC
Actually that’s the point, I’m not. I’m just an IT guy that knows a few tricks. I’d barely qualify as an amateur script kiddie. Just know how much I can accomplish with the little I know. I also, however, read reports from Black Hat conferences and keep an ear out for exploits. There’s a LOT of vulnerabilities out there and it’s quite clear that a lot more go unreported.

gnasher729

This is what Davey Ho said: “The above comment is either a feeble attempt by an NSA agent, or a display of ignorance by a low information voter. There is absolutely NO doubt about the NSA capabilities, denying the truth is absolute ignorance.”

That’s what I say: Davey, your post is both insulting and stupid. You read and believe what you read as long as it is sensational enough, but you are actually clueless. And you will deny the truth, because you read something that was both on the internet and sensational, so it must be true. You sound like someone who gets their technical knowledge from CSI and “Persons of Interest”.

iPhones until 2008 had no encrypted memory. That was introduced with the iPhone 3GS. Before that, an attacker with physical access and some technical knowledge could read and write any file on an iPhone, if necessary by removing the flash memory from the phone and transplanting it into another device. No doubt the NSA was capable of doing that. Since the iPhone 3GS, it is not possible anymore. Only the iPhone itself can read the flash memory inside that iPhone. No way around it. At that point the NSA lost most of its capabilities. Anyone at the NSA saying “we can crack any iPhone” had to eat crow. They might be able to destroy data on any iPhone, but so can I, using a hammer.

Once you have a passcode, only software signed by Apple can access any data on the phone, unless they are lucky enough to guess the passcode in ten guesses. Use an eight or ten digit passcode, _nobody_ can access any data without the passcode. There has been no remote exploit for ages. Jailbreaks are closed as soon as they happen. And every time information goes public, it tells Apple what to do: Make sure that the phone is reset and wiped completely when you setup your AppleID.

You seem to think that the NSA employs some magic fairies that can get around the law of physics. They don’t. They have some big computers that can’t crack iPhone encryption. They have some pretty clever guys that can exploit mistakes that you make, but they can’t do magic.

droid

gnasher729 don’t place all your faith in iOS features that are not relevant.

Once a device is attacked the in memory encryption is useless. The device can be instructed to do the NSA’s bidding; any encrypted data can be decrypted on the device.

The passcode lock has been shown to be vulnerable in previous OS releases. How certain are you that the same isn’t true now?

Physical access to a device also opens it up to USB attacks in the OS, the boot loader and the SIM. There is also the issue that the NSA can attempt ‘man in the side’ attacks via the network connections and use malicious wifi and cellular towers to deliver exploits to the baseband. You do realise that cellular networks are incredibly insecure & broken…
http://www.youtube.com/watch?v=5B7XyVWgoxg (13:00 - 19:00 shows a SIM getting pwned - iOS gives no warning unlike the ancient Nokia).

Apple’s software certificates are also irrelevant when you have gained full system access, why do you think jailbreakers get accused of piracy so often? Once again, full system access circumvents Apple’s security features. All you need is an initial weakness.

iOS 7 has been jailbroken as have the previous OS versions. It means there is a known flaw available to someone with physical access. The jailbreakers also find other attacks once a system has been opened up, why do you assume the NSA doesn’t have departments working on this too? When the NSA hoards these vulnerabilities it means another party can also discover & use them hurting American companies & American users.

As you noted several remote iOS jailbreaks would only need you to open a page in a web browser, that means the entire OS could be compromised over a network connection, do you still have complete faith in Apple’s technical skills to evaluate the open tools & libraries it relies on?

Go watch the full videos, it’s clear that the NSA has funded backdoors into open source software, does Apple know about them & does it fix them all? Apple left OS X users with compromised BIND installations for months after critical vulnerabilities were announced & patched elsewhere.

Pwning BIOS’s, modifying HD firmware, inserting active or passive sensors, using network cards & web cameras invisibly are all some of the topics revealed by the NSA’s own slides in the CCC presentations.

Watch the CCC videos they may open your eyes a little, either all these researchers are being duped or the NSA really can access any iPhone they want. Combine the above info with what is already known about Prism etc which is most likely?

There are also leaked NSA documents dating back to 2010 detailing ‘scripts’ that gather data from iOS, so much for the ‘Apple magic’ in the 3GS that encrypted everything back in 2008.

I sure hope your little ‘it’s encrypted’ comfort blanket can block radio waves since a Faraday cage is the only way to truly secure an iOS device.

adamC

Droid

So far there is no way to remote hack iOS, maybe Android.

If there is a way it will make headlines and not dubious claims.

If Appelbaum, a hater, can’t substantiate that the NSA can hack an iOS device, what makes you think someone can?

Btw all the claims made by people like Charlie Miller require one’s action or stupidity and not magic.

droid

adamC, can you provide links to information that prove “there is no way to remote hack iOS”?

I haven’t said the opposite is true, I simply said that it was possible to remote hack iOS once and may be possible again. Android isn’t relevant to this topic at all, neither is Charlie Miller.

The video I mentioned above has a demo that uses a cellular base station to install a java app onto a SIM card. It looks like it worked on iOS with no warning, the app sends location data over SMS.
The demo is messy & looks like it fails, but the principle is clear… there are many vectors for attack on these devices.
How can you be sure that your carrier isn’t using weak SIM card security or the baseband (the modem that runs 24/7) isn’t flawed?

Is the same true of the Wifi, Bluetooth & the GPS radios? You have to evaluate ALL of these before you can claim iOS can stand up to remote attacks from the NSA - the NSA appears to have an unlimited budget.

Whilst a remote attack on iOS would hit the headlines, there is more value in not disclosing & using it as a ‘zero day’ if you are in the spying business, these researchers are not claiming they have a remote exploit for iOS, they are simply passing on the info the NSA docs claim -

[the NSA] “…have been able to successfully install the software on every iPhone they want.”

Remote exploit or not, if they want the data on the device they will get it, isn’t that a concern for any iOS user?

